Firewall Wizards mailing list archives
Watchguard V60 capacity
From: User Scarr <scarr () ineocom com>
Date: Tue, 22 Jul 2003 11:48:49 -0400
Hey all,

I'm wondering if anyone else on this list actively uses Watchguard Vclass units, and has run into some of the same "challenges" we have with them. We're using them to firewall a fairly active client with a good amount of web and SMTP traffic. We've got two of them in HA. What I'm hoping for (more than a rant session) is that someone has found some working solutions, or at least has the same issues we do. I suspect a fair number of these are Watchguard bugs, but I don't want to pay $250 each for the privilege of reporting them...
Some of the biggies at the tip of the iceberg;
- Packet loss. I've identified the Watchguard Vclass units as the center of between 1% and 10% packet loss on a regular basis (ruling out switches and routers and even cables, which has been a bit of a process). Watchguard's support has suggested that I lower a connection idle timeout setting in debug mode from 3 minutes to 1 minute, which sounds reasonable, but I haven't tried it yet (production hours).
- High availability syncing. I've seen this on other HA devices, but never like this. The HA constantly complains that it can't sync, even though it does, and manual sync attempts (when editing or adding policies) seem to freeze the units, adding to the packet loss. The HA is fairly seamless though when it does happen, so they get points there.
- The built in load balancing. I know I know, I should probably get an independent device to handle the LB. The load balancing seems to freeze at random, and I end up with error messages in the logs like; "The load balancing server 0.0.0.0 is not responding". Of course, there's no server specified with that address. I'm using weighted least connections between two SMTP servers running Postfix.
I've used Netscreen, and to a lesser extent PIX devices in the past (and a few free software firewalls like IPFW and iptables / ipchains, etc), so the number of and severity of recent troubles I've had with these is a new experience for me. I have a feeling a lot of the problems are due to load, but since Watchguard boasts up to 200Mbps throughput (with the units in active/active HA) I can't imagine our 7Mbps spikes are causing them any heartburn.
Any thoughts, etc?

Thanks,
--
Simon Carr
Ineocom Technologies Inc.
http://www.ineocom.com/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards